def test_query_string():
    """
    Exercise function_utils.make_query_string: each ``%paramN%`` placeholder in
    the template must be replaced by the N-th entry of ``params``.

    Note what the expected strings pin down: substitution is *verbatim*. The
    quoted DATEFORMAT pattern and the bare numbers are spliced into the AQL
    unchanged, with no quoting or escaping, so whatever reaches the params
    list ends up literally in the query that is sent to QRadar.
    :return:
    """
    # Case 1: a realistic AQL template with three placeholders
    template = "SELECT %param1% FROM events WHERE INOFFENSE(%param2%) LAST %param3% MINUTES"
    columns = (
        "DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm') as StartTime, "
        "CATEGORYNAME(category), LOGSOURCENAME(logsourceid), "
        "PROTOCOLNAME(protocolid), RULENAME(creeventlist)"
    )
    values = [columns, "38", "100"]
    expected = "SELECT " + columns + " FROM events WHERE INOFFENSE(38) LAST 100 MINUTES"

    assert function_utils.make_query_string(template, values) == expected

    # Case 2: four placeholders separated by arbitrary filler text
    fillers = [
        "First part string ",
        " Second part string ",
        " Third part string ",
        " Forth part string ",
        " Fifth part string ",
    ]
    values = ["Param1", "Param2", "Param3", "Param4"]

    # Build template and expectation side by side: filler, placeholder/value,
    # filler, ... so the two stay aligned by construction.
    template = fillers[0]
    expected = fillers[0]
    for position, value in enumerate(values, start=1):
        template += "%param{}%".format(position) + fillers[position]
        expected += value + fillers[position]

    assert function_utils.make_query_string(template, params=values) == expected
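    def _qradar_search_function(self, event, *args, **kwargs):
        """Function: Search QRadar

        Build an Ariel (AQL) query from the ``qradar_query`` template and the
        ``qradar_query_param1`` .. ``qradar_query_param5`` inputs, run it on
        the QRadar host named in ``self.options`` and yield the result.

        Inputs (``kwargs``):
            qradar_query: textarea holding the AQL template; ``%paramN%``
                placeholders are replaced by the matching param value.
            qradar_query_param1..5: values substituted into the template.
            qradar_query_range_start / qradar_query_range_end: result window,
                passed through to ``ariel_search`` unchanged.

        Options (``self.options``): ``host``, ``username``, ``qradarpassword``;
        optional ``verify_cert`` (the string "false", any letter case, turns
        certificate verification off) and optional ``search_timeout``
        (parsed as a float; ignored with a warning when not numeric).

        Yields StatusMessage objects while running, then FunctionResult(result)
        on success or FunctionError() after the failure has been logged.
        """
        # Bind the logger *before* the try block. The original bound it inside,
        # so an exception raised earlier (e.g. by get_textarea_param) reached
        # ``log.error`` in the handler with ``log`` still unbound and the
        # function died with UnboundLocalError instead of yielding
        # FunctionError().
        log = logging.getLogger(__name__)
        try:
            # Get the function parameters:
            qradar_query = self.get_textarea_param(
                kwargs.get("qradar_query"))  # textarea
            qradar_query_params = [
                kwargs.get("qradar_query_param1"),  # text
                kwargs.get("qradar_query_param2"),  # text
                kwargs.get("qradar_query_param3"),  # text
                kwargs.get("qradar_query_param4"),  # text
                kwargs.get("qradar_query_param5"),  # text
            ]
            qradar_query_range_start = kwargs.get(
                "qradar_query_range_start")  # number
            qradar_query_range_end = kwargs.get(
                "qradar_query_range_end")  # number

            log.info("qradar_query: %s", qradar_query)
            for position, value in enumerate(qradar_query_params, start=1):
                log.info("qradar_query_param%d: %s", position, value)
            log.info("qradar_query_range_start: %s", qradar_query_range_start)
            log.info("qradar_query_range_end: %s", qradar_query_range_end)

            # "false" (any letter case) disables TLS verification. Say so in
            # the log: with verification off, the credentials handed to
            # QRadarClient below can be captured by whoever answers on
            # self.options["host"].
            qradar_verify_cert = True
            if str(self.options.get("verify_cert", "")).strip().lower() == "false":
                qradar_verify_cert = False
                log.warning("verify_cert is false: TLS certificate verification "
                            "for %s is disabled", self.options["host"])

            # search_timeout arrives from the config as text; give ariel_search
            # a number (or None) instead of the raw string.
            timeout = None
            if "search_timeout" in self.options:
                try:
                    timeout = float(self.options["search_timeout"])
                except (TypeError, ValueError):
                    log.warning("Ignoring non-numeric search_timeout: %r",
                                self.options["search_timeout"])

            log.debug("Connection to %s using %s",
                      self.options["host"], self.options["username"])

            # NOTE(review): make_query_string splices the param values into the
            # AQL text as-is (this file's unit test expects verbatim
            # substitution with no quoting or escaping). Whoever controls the
            # qradar_query_param* inputs therefore controls part of the query
            # that runs on QRadar. Restrict those inputs to trusted callers, or
            # validate each value against its expected form (offense id,
            # minutes, column list) before this call.
            query_string = function_utils.make_query_string(
                qradar_query, qradar_query_params)

            log.info("Running query: %s", query_string)

            yield StatusMessage("starting...")
            # ``cafile`` receives the verify flag, as in the original;
            # presumably QRadarClient treats it like requests' ``verify``
            # (bool or CA-bundle path) — confirm against the client.
            qradar_client = QRadarClient(
                host=self.options["host"],
                username=self.options["username"],
                password=self.options["qradarpassword"],
                token=None,
                cafile=qradar_verify_cert)

            result = qradar_client.ariel_search(
                query_string,
                range_start=qradar_query_range_start,
                range_end=qradar_query_range_end,
                timeout=timeout)

            yield StatusMessage("done...")
            yield FunctionResult(result)
        except Exception as e:
            # log.exception keeps the traceback that log.error(str(e)) dropped.
            log.exception("QRadar search failed: %s", e)
            yield FunctionError()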
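    def _qradar_search_function(self, event, *args, **kwargs):
        """Function: Search QRadar

        Build an Ariel (AQL) query from the ``qradar_query`` template and the
        ``qradar_query_param1`` .. ``qradar_query_param5`` inputs, run it on
        the QRadar host named in ``self.options`` and yield the result.

        Inputs (``kwargs``; ``qradar_query`` and ``qradar_query_all_results``
        are checked by validate_fields first):
            qradar_query: textarea holding the AQL template; ``%paramN%``
                placeholders are replaced by the matching param value.
            qradar_query_param1..5: values substituted into the template.
            qradar_query_range_start / qradar_query_range_end: result window,
                passed through to ``ariel_search`` unchanged.
            qradar_query_all_results: select input; a display ``name``
                containing "Yes" asks ariel_search for all results.

        Options (``self.options``): ``host``; ``username``, ``qradarpassword``
        and ``qradartoken`` (each may be absent — which of them the client
        needs is decided in QRadarClient); optional ``verify_cert`` (the string
        "false", any letter case, turns certificate verification off) and
        optional ``search_timeout`` (parsed as a float; ignored with a warning
        when not numeric).

        Yields StatusMessage objects while running, then FunctionResult(result)
        on success or FunctionError() after the failure has been logged.
        """
        # Bind the logger *before* the try block. The original bound it inside,
        # after validate_fields, so a missing required field reached
        # ``log.error`` in the handler with ``log`` still unbound and the
        # function died with UnboundLocalError instead of yielding
        # FunctionError().
        log = logging.getLogger(__name__)
        try:
            required_fields = ["qradar_query", "qradar_query_all_results"]
            validate_fields(required_fields, kwargs)
            # Get the function parameters:
            qradar_query = self.get_textarea_param(kwargs.get("qradar_query"))  # textarea
            qradar_query_params = [kwargs.get("qradar_query_param%d" % position)  # text
                                   for position in range(1, 6)]
            qradar_query_range_start = kwargs.get("qradar_query_range_start")  # number
            qradar_query_range_end = kwargs.get("qradar_query_range_end")  # number

            # Select input: the option's display name decides; validate_fields
            # above guarantees the key is present.
            qradar_query_all_results = False
            if "Yes" in kwargs.get("qradar_query_all_results")["name"]:
                qradar_query_all_results = True

            log.info("qradar_query: %s", qradar_query)
            for position, value in enumerate(qradar_query_params, start=1):
                log.info("qradar_query_param%d: %s", position, value)
            log.info("qradar_query_range_start: %s", qradar_query_range_start)
            log.info("qradar_query_range_end: %s", qradar_query_range_end)
            log.info("qradar_query_all_results: %s", qradar_query_all_results)

            # "false" (any letter case) disables TLS verification. Say so in
            # the log: with verification off, the credentials handed to
            # QRadarClient below can be captured by whoever answers on
            # self.options["host"].
            qradar_verify_cert = True
            if "verify_cert" in self.options and self.options["verify_cert"].lower() == "false":
                qradar_verify_cert = False
                log.warning("verify_cert is false: TLS certificate verification "
                            "for %s is disabled", self.options["host"])

            # search_timeout arrives from the config as text; give ariel_search
            # a number (or None). Only conversion errors are tolerated — the
            # original bare ``except:`` also swallowed KeyboardInterrupt and
            # SystemExit.
            timeout = None
            if "search_timeout" in self.options:
                try:
                    timeout = float(self.options["search_timeout"])
                except (TypeError, ValueError):
                    log.warning("Failed to read search_timeout: %r",
                                self.options["search_timeout"])

            log.debug("Connection to %s using %s", self.options["host"], self.options["username"])

            # NOTE(review): make_query_string splices the param values into the
            # AQL text as-is (this file's unit test expects verbatim
            # substitution with no quoting or escaping). Whoever controls the
            # qradar_query_param* inputs therefore controls part of the query
            # that runs on QRadar. Restrict those inputs to trusted callers, or
            # validate each value against its expected form (offense id,
            # minutes, column list) before this call.
            query_string = function_utils.make_query_string(qradar_query, qradar_query_params)

            log.info("Running query: %s", query_string)

            yield StatusMessage("starting...")
            # ``cafile`` receives the verify flag, as in the original;
            # presumably QRadarClient treats it like requests' ``verify``
            # (bool or CA-bundle path) — confirm against the client.
            qradar_client = QRadarClient(host=self.options["host"],
                                         username=self.options.get("username", None),
                                         password=self.options.get("qradarpassword", None),
                                         token=self.options.get("qradartoken", None),
                                         cafile=qradar_verify_cert,
                                         opts=self.opts, function_opts=self.options)

            result = qradar_client.ariel_search(query_string,
                                                qradar_query_all_results,
                                                range_start=qradar_query_range_start,
                                                range_end=qradar_query_range_end,
                                                timeout=timeout)

            yield StatusMessage("done...")
            yield FunctionResult(result)
        except Exception as e:
            # log.exception keeps the traceback that log.error(str(e)) dropped.
            log.exception("QRadar search failed: %s", e)
            yield FunctionError()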